How to securely trigger Azure Functions from Azure Logic Apps

Last updated on July 19, 2024

Whenever I’ve previously instructed other developers on how to call an Azure function from an Azure logic app, I’ve often found myself referencing a subsection of an article I’ve previously written with some modifications. After doing it a few times, I figured the instructions would be easier to follow if I included only the required steps in a separate article. So, here we are. In addition, the steps detailed in this article are more generalized instead of focusing on the original specific scenario.

I assume that you already have an existing Azure Logic App. In this article we will create the Azure Function app and then integrate the two while following security best practices.

Table of Contents

  1. Enable the Azure Logic App managed identity
  2. Create an Azure Function App
  3. Enable Entra ID authentication for the Function App
  4. Create an HTTP triggered function
  5. Finalize the Logic App implementation

Enable the Azure Logic App managed identity

Let’s start by configuring your existing logic app. First, we must enable the logic app’s managed identity; this is the identity the logic app will authenticate with when it triggers the Azure function we create in the next step. Once the managed identity has been enabled, we can permit it to trigger the function. But don’t think about that too much yet; let’s focus on enabling the managed identity.

  1. Navigate to the logic app resource on Azure Portal.
  2. Open the Identity blade.
  3. Change the system assigned managed identity Status to On.
  4. Click on Save.

Create an Azure Function App

Next, let’s navigate to the resource group level and create a new Function App in the same resource group as where your logic app is located (not required, but you most likely want to do this) with the following settings:

  1. Ensure the correct subscription and the resource group are selected.
  2. Give your function app a descriptive name (according to your organization’s naming conventions). The name also becomes the hostname prefix of the function app (name.azurewebsites.net), so it must be globally unique.
  3. You probably want to publish your solution as Code.
  4. Select the runtime stack that matches your code, and use the latest version.
  5. Change the Region to the same one you chose when creating the resource group.
  6. You probably want to use the recommended Operating system and Consumption as the Plan type. Of course, if you know you want to use Linux and another plan type, you should change the settings to match your needs.
  7. Go to the Hosting tab, click on Create new and rename the storage account according to your organization’s naming conventions.
  8. Go to the Monitoring tab, click on Create new and rename the application insights resource (and a new workspace) according to your organization’s naming conventions.
  9. You may optionally tag the resource. Otherwise, click Review + create.

After the function app deployment has finished, click on Go to resource.

Enable Entra ID authentication for the Function App

We will prevent unauthorized access to the function by enabling Entra ID authentication for our function app. The platform then validates the Entra ID token on every request before it reaches our code. We will restrict the accepted callers to our logic app’s managed identity, so the logic app will be able to execute the function, whereas any outsider attempting to access our function URL will receive an Unauthorized response instead.

  1. Go to the Authentication blade.
  2. Click the big blue button to add an identity provider.
  3. Select Microsoft.
  4. For the Client application requirement, select Allow requests from specific client applications and specify the logic app whose managed identity you enabled earlier. Enter the managed identity’s application (client) ID, which is the Application ID of the enterprise application Entra ID created for the logic app, not the Object (principal) ID shown on the logic app’s Identity blade.
  5. Choose to return status code 401 Unauthorized for unauthenticated requests (a login redirect is useless to a service-to-service caller such as the logic app).
  6. Otherwise, you can keep the default settings (create a new app registration with the same name as the function app, support only the current single tenant, require authentication and enable token store).
  7. Click on Add

After adding the identity provider, click on the Edit icon. Next, we need to perform the following changes to ensure authentication from our logic app to our function app succeeds.

  1. Remove the v2.0 suffix from the end of the Issuer URL, so that it ends with the tenant ID and a trailing slash. Managed identity tokens are issued by the v1.0 endpoint (issuer https://sts.windows.net/<tenant-id>/), and they would be rejected against the v2.0 issuer value.
  2. In the Allowed token audiences list, copy the GUID visible on the first row (the part after api://) and add that GUID on its own separate row immediately below the api:// URL, like in the picture below. The token the logic app’s managed identity requests carries this bare GUID as its audience; it is the same value you will later enter as the Audience of the logic app action.
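To see why these two edits (and the client application requirement above) are needed, here is an added example, not code from the original post, that models the checks App Service authentication applies to the logic app’s managed identity token and runs them against the portal defaults and against the corrected settings. All GUIDs, the tenant ID and the token claims are constructed placeholders, the settings dictionary only mirrors the shape of the authsettingsV2 configuration, and the acceptance rules are a simplified model of Easy Auth (signature validation is left out because the platform performs it before any of these policy checks).

```python
"""Added example (not from the original post): simplified model of the issuer,
audience and allowed-client-application checks Easy Auth applies to the
logic app's managed identity token. All identifiers below are constructed."""
import copy

TENANT_ID = "11111111-1111-1111-1111-111111111111"                # constructed
FUNCTION_APP_CLIENT_ID = "22222222-2222-2222-2222-222222222222"   # constructed: app registration Easy Auth created
LOGIC_APP_MI_CLIENT_ID = "33333333-3333-3333-3333-333333333333"   # constructed: logic app managed identity application ID

# Shape mirrors identityProviders.azureActiveDirectory in Microsoft.Web/sites/config authsettingsV2,
# as the portal leaves it right after the identity provider has been added.
DEFAULT_SETTINGS = {
    "registration": {
        "clientId": FUNCTION_APP_CLIENT_ID,
        "openIdIssuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    },
    "validation": {
        "allowedAudiences": [f"api://{FUNCTION_APP_CLIENT_ID}"],
        # portal default: allow requests only from this application itself
        "defaultAuthorizationPolicy": {"allowedApplications": [FUNCTION_APP_CLIENT_ID]},
    },
}

# Claims the logic app's managed identity gets from the v1.0 endpoint when the
# action's Audience is set to the bare client ID GUID (constructed).
MANAGED_IDENTITY_TOKEN = {
    "ver": "1.0",
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "aud": FUNCTION_APP_CLIENT_ID,
    "appid": LOGIC_APP_MI_CLIENT_ID,
}


def corrected_settings(settings, allowed_caller_app_id):
    """Apply the changes described in the steps above to a copy of the settings."""
    fixed = copy.deepcopy(settings)
    reg, val = fixed["registration"], fixed["validation"]
    # Client application requirement: allow requests from specific client applications only
    val["defaultAuthorizationPolicy"]["allowedApplications"] = [allowed_caller_app_id]
    # Step 1: drop the v2.0 suffix so the issuer matches v1.0 (managed identity) tokens
    reg["openIdIssuer"] = reg["openIdIssuer"].removesuffix("v2.0")
    # Step 2: also accept the bare client ID GUID as a token audience
    val["allowedAudiences"].append(reg["clientId"])
    return fixed


def easy_auth_decision(settings, claims):
    """Return (accepted, reason): issuer check, then audience, then allowed client application."""
    configured_issuer = settings["registration"]["openIdIssuer"]
    tenant = configured_issuer.split("/")[3]  # https://login.microsoftonline.com/<tenant>/...
    if configured_issuer.rstrip("/").endswith("/v2.0"):
        expected_issuers = {f"https://login.microsoftonline.com/{tenant}/v2.0"}
    else:  # v1.0 tokens carry the sts.windows.net issuer
        expected_issuers = {f"https://sts.windows.net/{tenant}/"}
    if claims.get("iss") not in expected_issuers:
        return False, f"issuer {claims.get('iss')!r} does not match {configured_issuer!r}"

    audiences = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if not set(audiences) & set(settings["validation"]["allowedAudiences"]):
        return False, f"audience {audiences} not in allowed token audiences"

    allowed_apps = settings["validation"]["defaultAuthorizationPolicy"]["allowedApplications"]
    caller = claims.get("appid") or claims.get("azp")  # appid in v1.0 tokens, azp in v2.0 tokens
    if allowed_apps and caller not in allowed_apps:
        return False, f"client application {caller!r} is not an allowed client application"
    return True, "accepted"


if __name__ == "__main__":
    print("defaults  :", easy_auth_decision(DEFAULT_SETTINGS, MANAGED_IDENTITY_TOKEN))
    fixed = corrected_settings(DEFAULT_SETTINGS, LOGIC_APP_MI_CLIENT_ID)
    print("corrected :", easy_auth_decision(fixed, MANAGED_IDENTITY_TOKEN))
```

With the defaults the token fails already at the issuer check; fixing only the issuer moves the failure to the audience check, and only after the GUID row and the client application allow-list are in place is the logic app accepted while any other application presenting a valid token for the same audience is still turned away.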

Create an HTTP triggered function

For an Azure logic app to directly trigger an Azure function, the function needs to use an HTTP trigger. So let’s create a function like that!

  1. Open the Functions blade.
  2. Create a new function with the following settings:
    • Select the Development environment you want to use.
    • Select the HTTP trigger template.
    • Give your function a descriptive name.
    • Change the Authorization level to Anonymous. The Entra ID authentication enforced by the platform is what protects the function, and it is more secure than a shared function key; setting the level to Anonymous removes the unnecessary key from the URL. Note that Anonymous only stays safe while the function app’s Authentication setting requires authentication: if that setting is later turned off, the function becomes callable by anyone.
    • Click on Create.
  3. You can now add your code to the function.
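As an added example, not code from the original post, here is a framework-agnostic body for the function just created. Easy Auth already turns unauthenticated callers away, but because the function’s own authorization level is Anonymous, the code re-checks the identity the platform injects in the X-MS-CLIENT-PRINCIPAL header, so a later change to the Authentication settings cannot silently open the function. The allowed application ID is a constructed placeholder, and wrapping handle() in the HttpRequest/HttpResponse types of whichever runtime stack you chose is assumed to be done by the caller.

```python
"""Added example (not from the original post): defense-in-depth check of the
caller identity Easy Auth injects into X-MS-CLIENT-PRINCIPAL. The allowed
application ID and the sample header are constructed placeholders."""
import base64
import json
from typing import Mapping, Optional

LOGIC_APP_MI_CLIENT_ID = "33333333-3333-3333-3333-333333333333"  # constructed: logic app managed identity application ID
ALLOWED_CALLER_APP_IDS = {LOGIC_APP_MI_CLIENT_ID}


def principal_claims(headers: Mapping[str, str]) -> Optional[dict]:
    """Decode X-MS-CLIENT-PRINCIPAL (base64 JSON with a 'claims' list) into {typ: val}.
    Header names are matched case-insensitively; returns None when absent or malformed."""
    raw = next((v for k, v in headers.items() if k.lower() == "x-ms-client-principal"), None)
    if not raw:
        return None
    try:
        padded = raw + "=" * (-len(raw) % 4)
        doc = json.loads(base64.b64decode(padded))
        return {c["typ"]: c["val"] for c in doc["claims"]}
    except (ValueError, KeyError, TypeError):
        return None


def authorize(headers: Mapping[str, str]) -> tuple[int, str]:
    """Return (status, detail): 401 without a platform-set principal, 403 for a foreign app."""
    claims = principal_claims(headers)
    if claims is None:
        # App Service authentication sets this header itself and does not pass a
        # client-supplied one through, so its absence means no authenticated front door.
        return 401, "no authenticated principal on request"
    caller = claims.get("appid") or claims.get("azp")  # v1.0 tokens use appid, v2.0 tokens use azp
    if caller not in ALLOWED_CALLER_APP_IDS:
        return 403, f"client application {caller!r} is not allowed to call this function"
    return 200, caller


def handle(headers: Mapping[str, str], body: str) -> tuple[int, dict]:
    """Return (status, JSON-serialisable response body) for one request."""
    status, detail = authorize(headers)
    if status != 200:
        return status, {"error": detail}
    payload = json.loads(body) if body else {}
    # The caller is verified at this point; the real work of the function goes here.
    return 200, {"caller": detail, "received": payload}


def make_principal_header(claims: dict) -> str:
    """Build a header in Easy Auth's format; used only to exercise handle() locally."""
    doc = {"auth_typ": "aad",
           "claims": [{"typ": t, "val": v} for t, v in claims.items()],
           "name_typ": "name", "role_typ": "roles"}
    return base64.b64encode(json.dumps(doc).encode()).decode()


if __name__ == "__main__":
    header = make_principal_header({"appid": LOGIC_APP_MI_CLIENT_ID, "aud": "example"})
    print(handle({"X-MS-CLIENT-PRINCIPAL": header}, '{"orderId": 42}'))
    print(handle({}, ""))
```

The check is deliberately on the application ID rather than on the principal’s name, because that is the value the Client application requirement in the Authentication blade also matches against, so both layers agree on who may call the function.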

Finalize the Logic App implementation

The last thing we need to do to get our complete process to work is to add the action to our logic app that will trigger the Azure function.

  1. On Azure Portal, return to the logic app resource.
  2. Take it into Edit mode.
  3. Click the button to add a new step.
  4. Search for function and select Azure Functions from the search results.
  5. Your Azure function app should be listed. Click on it.
  6. Select the function that you created earlier.
  7. Add any possible parameters you want to send to the function to the request body (see the example image below).
  8. In the Add new parameter dropdown, select Authentication
  9. Select Managed identity as the Authentication type.
  10. Paste the Client ID (the bare GUID you copied earlier from the function app’s Authentication blade and added as an allowed token audience) into the Audience field. It must match that allowed-audience row exactly.
  11. Save the logic app. We should be now good to go!

Afterword

That’s it! As usual, the setup is easy once you know how to do it. 🙂 If you found the article helpful, share it also with your colleagues — who knows, they might need to do this as a part of their projects. Also, feel free to follow me on social media to stay up to date on all the things that are going on. You can find links to all my social media profiles on the sidebar (or at the bottom for mobile).

Thank you for reading, and until next time!

Laura



11 thoughts on “How to securely trigger Azure Functions from Azure Logic Apps”

  • Hi Laura, I followed the steps but I received a 403 forbidden error when I called the function from the logic app. What do you think I made wrong?

    • I understand the situation. It seems like you haven’t allowed your function app to be accessed from the internet. You can configure this in the Networking tab of the function app.

      I also have the same question, as the blogger didn’t include this part of the configuration. I assume she is allowing the function app to be accessed from the internet. However, the real question is, what is the best approach here? Should you make it accessible from the internet, or should you create an IP restriction, for example, only allowing inbound access from APIM management or any other proxy-like solution?
      Please share your thoughts.

      BR,
      Augusto.

    • Hi,

      This issue might be related to the fact that Microsoft has introduced a new setting in the Identity Provider configurations since this blog post was originally written. By default, the setting allows requests to the function app only from the application itself, which results in the logic app being unable to call the function app. The Client application requirement setting needs to be changed to allow requests from specific client applications. I’ve now included this in the blog post.

      Laura

    • Thank you for creating such an informative, clear, and detailed blog. Your passion for the subject matter shines through in every post. As an Azure developer who likes to tackle challenges, I’ve profited a lot from your content, and I wanted to take a moment to express my appreciation.

      I hope this small note can give something back in return.

  • Thank you thank you thank you so much for your ongoing contributions to the community, you’ve saved me hours of time and endless headaches when I’ve been trying to get these things to work. The articles from Microsoft always miss something out or get something wrong, if they even exist in the first place, and your guides always pull me out of a black hole of despair! Please keep sharing!

  • I followed the steps but I can’t call the function app from my logic app. I’m getting an error:

    BadRequest. Http request failed as there is an error getting AD OAuth token: ‘AADSTS500011: The resource principal named xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx was not found in the tenant named xxxxx. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID

    • Please check the audience value passed in http request, it should be Clientid of the app registration which should also be one of the allowed audience in Azure AD Identity provider.

  • Great write up! Slightly different than the official Microsoft documentation (which didn’t work for me). However, in my testing, I did not have to grant the Logic App permissions to the Function App. Once I set the Logic App action to use a Managed Identity with the Audience value, I can execute the function app from the logic app successfully. Any ideas on what I might be missing?
